random pop up and i can not run any software

There is only ONE file from GetRunKey that needs to be uploaded and that is runkeys.txt You are not getting GetRunKey to complete (and the other files should all dissappear when GetRunKey completes) This is due to the error you mentioned in your first message. This error message is clearly describe on the download page for GetRunKey and you need to apply that fix. Then attach the runkeys.txt log from GetRunKey.

 

You did not follow the directions in step 0 of the READ ME where it mentions MSconfig. This was also mentioned a second time in the HijackThis instructions. You must set things to Normal Startup mode. After doing this, confinue on with the below steps.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_08
Safety Bar <-- should have been uninstalled in step 0 of the READ ME

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Continue by downloading a tool we will need - Pocket KillBox

Save it to its own folder somewhere that you will be able to locate it later.

Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\hldrrr.exe

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/ar/big/1.1.62-big/GoogleNav.cab
O20 - Winlogon Notify: winzzd32 - winzzd32.dll (file missing)

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe

• select File, Cleanup, Delete All Backups
• Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
• Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\hldrrr.exe
C:\Program Files\Common Files\{D033E687-095F-3073-0317-030308120001}\Update.exe

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

If Killbox does not reboot just reboot your PC yourself.

After reboot locate the below folder and delete if found:
C:\Program Files\Common Files\{D033E687-095F-3073-0317-030308120001}

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Yes uninstalling means via Add/Remove programs!

Please follow directions properly. I did not ask for a new HJT and GetRunKey log before running the procedure in message # 5. I did however ask for new logs from GetRunKey, ShowNew and HJT after running the procedure and I still need you to complete that procedure and attach the requested logs.

Do not rely on Windows Task Manager for anything! It does not show all running processes and it does not tell you the location that the process is running from. The process manager in HijackThis is much better. There are also better process managers than what is in HijackThis.

 

First just try Spybot!


Did you install all of the below and do you know what they all are and do you use them?

Now Copy the bold text below to notepad. Save it as fixSL.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Can you boot in safe mode now? If not, you will have to work that in the Software Forum because it does not appear to be malware causing the problem.

 

Not until we finish with your malware cleaning. Installing Norton with malware present could cause problems for Norton.

I'll get to those in my next message. This is part of what we have been working on fixing.

I don't understand your reply. First you said yes you installed them and then you said you don't know what they are for?????

If it is not a malware related problem (still to be determined since we are not finished removing malware yet) then it has to be fixed in the Software Forum since we focus on malware removal in this forum.

 

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe

• select File, Cleanup, Delete All Backups
• Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
• Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\wintems.exe

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
If Killbox does not reboot just reboot your PC yourself.

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!


After attaching the above logs, do the below.

Run Pocket Killbox and select File, Cleanup, Delete All Backups

Now please download Blacklight Beta

• Download blbeta.exe and save it to the Desktop.
• Once saved... double click blbeta.exe to install the program.
• Click accept agreement and Click scan
  This app too may fire off a warning from antivirus. Let the driver load.
  Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that starts with fsbl....big number

Please attach the BlackLight log.

 

Based on your newfiles.txt log, it appears that Pocket Killbox did not find the below file to delete:

C:\WINDOWS\system32\wintems.exe

Does Panda still detect it?

Don't worry about the log files, we will clean them up during my final steps.

Do you run any software to like this: a Remote Control Tool for any network application that allows users to manage and control PCs or networks from a remote location.

Does the below folder exist:

C:\Program Files\LANVisor\

 

Yes! That would be the only way to know if it is still detecting it.

No.

Doesn't it allow remote administration/control? Could that lvsclnt.exe process be for NetCut? See the below link for more info that comes up about this file:

http://research.sunbelt-software.com/threatdisplay.aspx?name=LANVisor&threatid=48408

The folder name ends in visor not visior. Using search will not find anything that is hidden or mark as a system file/folder. You have to configure search to do that. You should be looking manually using Windows Explorer which is what step 2 of the READ ME was configuring to see hidden files. Step 2 has nothing to do with Windows Search.

 

Just have HJT fix that O4 line which is sufficient for now. If it winds up causing any problems for something you did not realize you needed, you can restore from HJT's backups.

I repeat, step 2 of the READ ME had nothing to do with Search. It only has to do with what shows in Windows Explorer. Windows Search is not the same thing. Looking for something in Windows Explorer is manual navigation. See this: Searching for Hidden Files on WinXP I'm not saying you need to do this, I'm just pointing out that saying Search implies you did something different than using Windows Explorer to manually look for files yourself.

Your log is clean. If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

It may have somethings to do with this:
http://www.bleepingcomputer.com/startups/atwtusb.exe-410.html


Fix any O4 lines with that hldrrr.exe file name in it like we did in message # 4. Make sure it does not come back. Whatever you do, do not use MSconfig to control startups.

Attach a new HJT log!

Note: I will be out of town until next Monday evening! So unless another malware helper is around to pick this up, you will have to wait until I return.